« All posts

Unisoc T606/T616 Backdoors Enable Zero-Click Root on Budget Androids

Chained BootROM, modem RCE, and backdoored OEM apps let attackers silently root Unisoc-based budget Android phones with zero user interaction.

Security researchers have documented "Operation Silent Rescue," an attack chain affecting millions of budget Android phones across Latin America built on Unisoc T606/T616 chipsets, including Motorola's Moto G04s, G24, G34, and E24 running Android 11-13. Rated CVSS 9.8, the chain combines an unpatchable BootROM flaw (CVE-2022-38694) with a modem remote-code-execution bug (CVE-2025-31718) that can be triggered over rogue LTE signals with no user interaction required.

Once initial access is gained through the modem, several pre-installed system apps — including Spreadtrum's SGPS middleware, the SIM Toolkit, Motorola's modem-stats service, and installer packages from Digital Turbine and InMobi — act as privilege-escalation bridges. These apps ship with exported components and dangerous permissions such as INSTALL_PACKAGES and WRITE_SECURE_SETTINGS, letting an attacker move from network-level access to full root control, silently install banking trojans, intercept SMS-based 2FA codes, and track location in real time.

For engineers, the case is a reminder that vendor firmware and OEM-bundled apps can quietly reintroduce root-equivalent attack surface even when the base OS is otherwise current. Because the BootROM flaw is unfixable and patch cycles for budget devices in the region are notoriously slow, the exposure is expected to survive factory resets and remain a long-term supply-chain risk for mobile banking users.